Inaccurate macOS display name #3363

Closed
jnasselle opened this issue Sep 23, 2022 · 4 comments
jnasselle commented Sep 23, 2022

Target version: 4.4
Related issue:  wazuh/wazuh#14729
Related PR:     wazuh/wazuh#14822

Description

This issue aims to request Manual testing on PR wazuh/wazuh#14822.

Short problem description: some macOS OS versions (from Sierra to Catalina) show themselves (in the default OS information tool) as Mac OS X, while their proper name is macOS. This inaccurate OS name is affecting both the OS inventory information and the Manager's agent list information.

Analysis

Changes

  • Short proposed solution: change the default tool from sw_vers to system_profiler to internally retrieve the OS name

    • Change the inventory retrieving module's (syscollector module) key component (sysinfo/data_provider library) responsible for retrieving OS information. THIS CODE IS ONLY COMPILED AND USED ON MACOS SYSTEMS.
    • Change the agent-side mechanism responsible for updating agent information on the manager (wazuh-agentd's keepalive)
  • Known/considered scope

    • Agent inventory (OS)
    • Agent information stored on the Manager agent list
    • Vuln detector: our research indicates that VD is not affected by the proposed changes

Steps to reproduce

  • Install the Wazuh agent on any macOS system from Sierra to the last supported one (there's no official information from Wazuh's side; @tsarquis88 tested on Monterey)

Results before changes

  • The Wazuh Manager shows, in every possible data interface (API, Dashboard, Manager's CLI tools), Mac OS X as the OS name from Sierra to Catalina, and macOS from Big Sur to the last supported one

Results after changes

  • The Wazuh Manager shows, in every possible data interface (API, Dashboard, Manager's CLI tools), macOS as the OS name from Sierra to the last supported one

Test cases

  • Reproduce the error in production (Manager 4.3.8 - Agents 4.3.8)

    Check the OS name in [Dashboard]
    • Overview > Integrity monitoring
    • Agents overview
    • Inventory data
    Check the OS name in [API]
    • Get agent OS
    • List agents (filter by os name)
    • Get agents overview
    • Delete agents (filter by os name)
    • Get agents in a group (filter by os name)
    • List agents distinct
    • Summarize agents OS
    • Upgrade agents
    • Get upgrade results
    Check the OS name in [Manager Database]
    • Query the manager database to get information about the agent
  • Upgrade to the fixed version (Manager 4.3.8 -> 4.4.0 | Agents 4.3.8 -> 4.4.0)

    • Upgrade agent through WPK
    • Check the OS name in [Dashboard]
    • Check the OS name in [API]
    • Check the OS name in [Manager Database]
  • Fresh install (Manager 4.4.0 - Agents 4.4.0)

    • Check the OS name in [Dashboard]
    • Check the OS name in [API]
    • Check the OS name in [Manager Database]
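The core of the change above is swapping the tool the agent reads the product name from: sw_vers -productName prints "Mac OS X" on Sierra through Catalina, while the "System Version:" line of system_profiler SPSoftwareDataType already prints "macOS" on those releases. The script below is an added example (not code from the Wazuh issue, the PR, or the project's sysinfo library) showing how that line can be parsed and how the two sources differ. The sw_vers and system_profiler outputs embedded in it are constructed to mirror the real tools' format so it runs on any POSIX shell without a Mac; the helper names sp_os_name, sp_os_version and is_canonical_name are mine, not Wazuh's.

```shell
#!/bin/sh
# Added example (not Wazuh's own code): parse the product name and version
# from system_profiler text and compare it with what sw_vers reports.
# All sample outputs below are CONSTRUCTED to mirror the real tools' format.

# Constructed sample: what `sw_vers -productName` prints on Sierra..Catalina.
SAMPLE_SWVERS_SIERRA='Mac OS X'

# Constructed sample: what `system_profiler SPSoftwareDataType` prints on Sierra.
SAMPLE_SP_SIERRA='Software:

    System Software Overview:

      System Version: macOS 10.12.6 (16G29)
      Kernel Version: Darwin 16.7.0
      Boot Volume: Macintosh HD
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled'

# Constructed sample for an older release that really was branded "Mac OS X",
# to show the parser keeps the multi-word name intact.
SAMPLE_SP_MAVERICKS='Software:

    System Software Overview:

      System Version: Mac OS X 10.9.5 (13F34)
      Kernel Version: Darwin 13.4.0'

# Product name: everything on the "System Version:" line before the first
# numeric token. Prints nothing if the line is absent.
sp_os_name() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*System Version:[[:space:]]*\([A-Za-z][A-Za-z ]*[A-Za-z]\) [0-9].*/\1/p'
}

# Numeric version from the same line (the token right before the build id).
sp_os_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*System Version:.* \([0-9][0-9.]*\) (.*/\1/p'
}

# Exit status 0 only for the name the manager is expected to store after the fix.
is_canonical_name() {
    case "$1" in
        macOS) return 0 ;;
        *)     return 1 ;;
    esac
}

# Live wrapper: uses the real tool on macOS, falls back to the constructed
# Sierra sample elsewhere so the script stays runnable offline.
current_os_name() {
    if command -v system_profiler >/dev/null 2>&1; then
        sp_os_name "$(system_profiler SPSoftwareDataType 2>/dev/null)"
    else
        sp_os_name "$SAMPLE_SP_SIERRA"
    fi
}

printf 'sw_vers -productName (Sierra)     : %s\n' "$SAMPLE_SWVERS_SIERRA"
printf 'system_profiler, parsed (Sierra)  : %s %s\n' \
    "$(sp_os_name "$SAMPLE_SP_SIERRA")" "$(sp_os_version "$SAMPLE_SP_SIERRA")"
printf 'system_profiler, parsed (10.9)    : %s\n' "$(sp_os_name "$SAMPLE_SP_MAVERICKS")"
printf 'current host (or sample fallback) : %s\n' "$(current_os_name)"
```

On a Sierra host the first line shows "Mac OS X" and the second "macOS 10.12.6", which is exactly the discrepancy the PR removes by switching the data source; the parser is anchored on the "System Version:" label so unrelated lines such as "Kernel Version:" are ignored.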
mauromalara commented Sep 26, 2022

Tester review

Tester PR commit
@mauromalara 667da4f

Testing environment

OS     OS version        Deployment  Image/AMI   Notes
macOS  Sierra (10.12)    Vagrant     macos-1012
macOS  Big Sur (11.0.1)  Vagrant     macos-1100

Tested packages

OS      Packages           Old packages  Notes
macOS   Agent              Agent 4.3.7
CentOS  Manager - Indexer                We had to ask the Frontend team to create a custom Wazuh App package so that we could generate a valid Wazuh Dashboard package.

Status

  • In progress
  • Pending Review
  • QA team leader approved (@damarisg)
  • QA manager approved (@jmv74211)
  • Development team leader approved (@jnasselle)

Conclusion 🟡

Some of the required checks could not be performed (they are marked with 🟡) because of an error when upgrading a macOS agent through WPK. However, this bug is not related to the development, so the testing has passed successfully ✅ and the results are detailed below:


Note: I chose to test only on 2 versions of the macOS operating system, as there are 2 groups:

  • Versions with the OS name: Mac OS X (from Sierra to Catalina).
  • Versions with the OS name: macOS (from Big Sur to Ventura)

And the development team had tested on Monterey and Sierra, so I decided to test on:

  • Sierra
  • Big Sur

@mauromalara mauromalara moved this to Triage in Release 4.4.0 Sep 26, 2022
@mauromalara mauromalara moved this from Triage to In Progress in Release 4.4.0 Sep 26, 2022
@jmv74211 jmv74211 added this to the Core PRs approval - 4.4.0 milestone Sep 28, 2022
@jmv74211 jmv74211 removed this from Release 4.4.0 Sep 28, 2022
mauromalara commented Sep 28, 2022

Testing results

macOS Sierra 🟡

Reproduce the error in production (Manager 4.3.8 - Agents 4.3.8) 🟢

Check the OS name in Dashboard 🟢

Agents overview 🟢
  1. On the Home page, select "Total agents"

(screenshot)

Inventory data 🟢
  1. On the Home page, select "Total agents"
  2. Select the macOS Sierra agent
  3. Select "Inventory data"

(screenshot)

Conclusion: The names of the OS are different in all views as expected.

Check the OS name in API 🟢

Before querying the API it is necessary to store the token in an environment variable by running:

TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
Get agent OS 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/syscollector/001/os?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "Mac OS X"
            },
            "agent_id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All specified syscollector information was returned",
   "error": 0
}
List agents (filter by os name) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/agents?os.name=Mac+OS+X&select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "Mac OS X"
            },
            "id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
Get agents overview 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/overview/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
.
.
      "agent_os": [
         {
            "os": {
               "name": "Mac OS X",
               "platform": "darwin",
               "version": "10.12.6"
            },
            "count": 1
         },
.
.
Delete agents (filter by os name) 🟢
  1. Check if the agent is deleted when using the "Mac OS X" OS name:
curl -k -X DELETE "https://localhost:55000/agents?os.name=Mac+OS+X&agents_list=all&status=all&older_than=0s&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         "001"
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents were deleted",
   "error": 0
}
Get agents in a group (filter by os name) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/groups/default/agents?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "os": {
      "name": "Mac OS X"
   },
   "id": "003"
}
List agents distinct (filter by OS name and ID) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/agents/stats/distinct?fields=os.name,id&q="os.name=Mac+OS+X"&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "Mac OS X"
            },
            "count": 1,
            "id": "003"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
Upgrade agents 🟢

Note: To do this, it is necessary to downgrade the agent from v4.3.8 to v4.3.7

  1. Uninstall the agent v4.3.8:
/Library/Ossec/bin/wazuh-control stop
/bin/rm -r /Library/Ossec
/bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
/bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
/bin/rm -rf /Library/StartupItems/WAZUH
/usr/bin/dscl . -delete "/Users/wazuh"
/usr/bin/dscl . -delete "/Groups/wazuh"
/usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
  2. Remove the agent 001 from the manager:
/var/ossec/bin/manage_agents -r 001
  3. Install the agent v4.3.7, renew the root CA certificate, and start it:
curl -O https://packages.wazuh.com/4.x/macos/wazuh-agent-4.3.7-1.pkg
launchctl setenv WAZUH_MANAGER "172.31.10.106" && installer -pkg wazuh-agent-4.3.7-1.pkg -target /
curl -O https://raw.githubusercontent.com/wazuh/wazuh/00718e3720d127c44d73d7c9b093d90a918790a0/etc/wpk_root.pem
mv ./wpk_root.pem /Library/Ossec/etc/wpk_root_2022.pem
sed -i.bu 's/<ca_store>etc\/wpk_root.pem<\/ca_store>/<ca_store>etc\/wpk_root_2022.pem<\/ca_store>/g' /Library/Ossec/etc/ossec.conf
/Library/Ossec/bin/wazuh-control start
  4. Change the upgrade timeout (see "Upgrading macOS agent via WPK returns timeout", wazuh/wazuh#14856) by adding the following configuration to the Manager:
  <task-manager>
    <task_timeout>45m</task_timeout>
  </task-manager>
  5. Restart the manager:
systemctl restart wazuh-manager
  6. Check if the agent is updated when using the "Mac OS X" OS name:
curl -k -X PUT "https://localhost:55000/agents/upgrade?agents_list=001&os.name=Mac+OS+X&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "agent": "001",
            "task_id": 1
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All upgrade tasks were created",
   "error": 0
}
Get upgrade results 🟢
  1. Check if the API responses when using the "Mac OS X" OS name as a parameter:
curl -k -X GET "https://localhost:55000/agents/upgrade_result?agents_list=001&os.name=Mac+OS+X&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "message": "Success",
            "agent": "001",
            "task_id": 1,
            "node": "master",
            "module": "upgrade_module",
            "command": "upgrade",
            "status": "Updating",
            "create_time": "2022-10-05T21:21:19Z",
            "update_time": "2022-10-05T21:21:19Z"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All upgrade tasks were returned",
   "error": 0
}
Check the OS name in Manager Database 🟢
  1. Check if the OS name is displayed as expected:
sqlite3 -header -column /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR, OS_MINOR, OS_ARCH FROM AGENT WHERE ID = 1"
os_name     os_major    os_minor    os_arch
----------  ----------  ----------  ----------
Mac OS X    10          12          x86_64

Conclusion: The name of the OS is different in all views as expected.

Upgrade to the fixed version (Manager 4.4.0 | Agents 4.3.8 -> 4.4.0) 🟡

Upgrade from packages 🟢

Note: It was not necessary to test the upgrade through packages; however, we tested it.

  1. Download the package and upgrade Wazuh
sh-3.2# curl -sO https://packages-dev.wazuh.com/warehouse/test/4.4/macos/wazuh-agent-4.4.0-0.commit667da4f.pkg
sh-3.2# installer -pkg wazuh-agent-4.4.0-0.commit667da4f.pkg -target /
installer: Package name is Wazuh Agent
installer: Upgrading at base path /
installer: The upgrade was successful.
  2. Check if Wazuh is running
sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
  3. Check the version of Wazuh
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40400"
WAZUH_TYPE="agent"
  4. Check if Wazuh is restarted correctly
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Conclusion: The agent was upgraded successfully.

Upgrade the agent through WPK 🟡
  1. In the manager, generate the certificates:
openssl req -x509 -new -nodes -newkey rsa:2048 -keyout wpk_root.key -out wpk_root.pem -batch
openssl req -new -nodes -newkey rsa:2048 -keyout wpkcert.key -out wpkcert.csr -subj '/C=US/ST=CA/O=Wazuh'
openssl x509 -req -days 365 -in wpkcert.csr -CA wpk_root.pem -CAkey wpk_root.key -out wpkcert.pem -CAcreateserial
  2. Install requirements to generate the WPK package:
python -m pip install cryptography
yum install make gcc policycoreutils-python automake autoconf libtool unzip
  3. Download the package and the repo (using the last commit of this PR), and enter the repo folder
curl -O https://packages-dev.wazuh.com/warehouse/test/4.4/macos/wazuh-agent-4.4.0-0.commit667da4f.pkg
curl -sL https://github.com/wazuh/wazuh/tarball/272fc4e7f83e789abf39f41b0be3e240e063abd6 | tar zx
cd wazuh-wazuh-272fc4e/
  4. Overwrite the root certificate
cp /home/qa/wpk_root.pem etc/wpk_root.pem
  5. Compile the WPK package:
tools/agent-upgrade/wpkpack.py /home/qa/myagent.wpk /home/qa/wpkcert.pem /home/qa/wpkcert.key /home/qa/wazuh-agent-4.4.0-0.commit667da4f.pkg /home/qa/wazuh-wazuh-272fc4e/upgrade.sh src/init/pkg_installer_mac.sh

Note: /home/qa/myagent.wpk is where the WPK package will be stored.

  6. Copy the generated root certificate into the agent (from the manager):
scp -P <PORT> /home/qa/wpk_root.pem vagrant@<IP>:/Users/vagrant
  7. In the agent, overwrite the root CA with the generated certificate:
cp /Users/vagrant/wpk_root.pem /Library/Ossec/etc/wpk_root.pem
  8. Change the upgrade timeout (see "Upgrading macOS agent via WPK returns timeout", wazuh/wazuh#14856) by adding the following configuration to the Manager:
  <task-manager>
    <task_timeout>45m</task_timeout>
  </task-manager>
  9. Restart the manager:
systemctl restart wazuh-manager
  10. Upgrade the agent using the generated WPK package
/var/ossec/bin/agent_upgrade -a 001 -f /home/qa/myagent.wpk -x upgrade.sh

Upgrading...

Failed upgrades:
        Agent 003 status: Send upgrade command error

Note: The agent's ossec.log file does not show any error.

Conclusion: The upgrade was not completed correctly, so I cannot check whether the name of the OS is correct or not. Opened issue: wazuh/wazuh#15081

Check the OS name in Dashboard 🟡

Note: The name of the operating system may not be displayed correctly; this is because the Wazuh app package is under development (wazuh/wazuh-dashboard-plugins#4160) and does not have a stable version yet.

Agents overview 🟡

  1. On the Home page, select "Total agents"

(screenshot)

Inventory data 🟢

  1. On the Home page, select "Total agents"
  2. Select the macOS Sierra agent
  3. Select "Inventory data"

(screenshot)

Conclusion: The names of the OS are different in all views as expected.

Check the OS name in API 🟢

Before querying the API it is necessary to store the token in an environment variable by running:

TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

The agents information is the following:

/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-13-132.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: macos-1012, IP: any, Active
   ID: 002, Name: macos-1100, IP: any, Active
Get agent OS 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/syscollector/001/os?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "agent_id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All specified syscollector information was returned",
   "error": 0
}
List agents (filter by os name) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/agents?os.name=macOS&select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "001"
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "002"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
Get agents overview 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/overview/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
.
.
         {
            "os": {
               "name": "macOS",
               "platform": "darwin",
               "version": "10.12.6"
            },
            "count": 1
         },
.
.
Delete agents (filter by os name) 🟢
  1. Check if the agent is deleted when using the "macOS" OS name:
curl -k -X DELETE "https://localhost:55000/agents?os.name=macOS&agents_list=all&status=all&older_than=0s&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         "001",
         "002"
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents were deleted",
   "error": 0
}
  1. The agents information is the following now:
/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-13-132.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 003, Name: macos-1100, IP: any, Active
   ID: 004, Name: macos-1012, IP: any, Active
Get agents in a group (filter by os name) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/groups/default/agents?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "003"
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "004"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
List agents distinct (filter by OS name and ID) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/agents/stats/distinct?fields=os.name,id&q="os.name=macOS"&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "003",
            "count": 1
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "004",
            "count": 1
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Conclusion: The name of the OS is displayed correctly.

Check the OS name in Manager Database 🟢
  1. Check if the OS name is displayed as expected:
sqlite3 -header -column /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR, OS_MINOR, OS_ARCH FROM AGENT WHERE ID = 4"
os_name     os_major    os_minor    os_arch
----------  ----------  ----------  ----------
macOS       10          12          x86_64

Conclusion: The name of the OS is displayed correctly.

Fresh install (Manager 4.4.0 - Agents 4.4.0) 🟢

Check the OS name in Dashboard 🟡

Note: The name of the operating system may not be displayed correctly; this is because the Wazuh app package is under development (wazuh/wazuh-dashboard-plugins#4160) and does not have a stable version yet.

Agents overview 🟡

  1. On the Home page, select "Total agents"

(screenshot)

Inventory data 🟢

  1. On the Home page, select "Total agents"
  2. Select the macOS Sierra agent
  3. Select "Inventory data"

(screenshot)

Conclusion: The names of the OS are different in all views as expected.

Check the OS name in API 🟢

Before querying the API it is necessary to store the token in an environment variable by running:

TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

The agents information is the following:

/var/ossec/bin/manage_agents -l

Available agents:
   ID: 001, Name: macos-1012, IP: any
   ID: 002, Name: macos-1100, IP: any
Get agent OS 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/syscollector/001/os?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "agent_id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All specified syscollector information was returned",
   "error": 0
}
List agents (filter by os name) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/agents?os.name=macOS&select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "001"
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "002"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
Get agents overview 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/overview/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
.
.
         {
            "os": {
               "name": "macOS",
               "platform": "darwin",
               "version": "10.12.6"
            },
            "count": 1
         }
.
.
Delete agents (filter by os name) 🟢
  1. Check if the agent is deleted when using the "macOS" OS name:
curl -k -X DELETE "https://localhost:55000/agents?os.name=macOS&agents_list=all&status=all&older_than=0s&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         "001",
         "002"
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents were deleted",
   "error": 0
}
  1. The agents information is the following now:
/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-13-132.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 003, Name: macos-1100, IP: any, Active
   ID: 004, Name: macos-1012, IP: any, Active
Get agents in a group (filter by os name) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/groups/default/agents?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "003"
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "004"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
List agents distinct (filter by OS name and ID) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/agents/stats/distinct?fields=os.name,id&q="os.name=macOS"&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "count": 1,
            "id": "003"
         },
         {
            "os": {
               "name": "macOS"
            },
            "count": 1,
            "id": "004"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Conclusion: The name of the OS was displayed correctly.

Check the OS name in Manager Database 🟢
  1. Check if the OS name is displayed as expected:
sqlite3 -header -column /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR, OS_MINOR, OS_ARCH FROM AGENT WHERE ID = 4"
os_name     os_major    os_minor    os_arch
----------  ----------  ----------  ----------
macOS       10          12          x86_64

Conclusion: The name of the OS was displayed correctly.


macOS Big Sur 🟡

Upgrade to the fixed version (Manager 4.4.0 | Agents 4.3.8 -> 4.4.0) 🟡

Upgrade from packages 🟢

Note: It was not necessary to test the upgrade through packages; however, we tested it.

  1. Download the package and upgrade Wazuh
sh-3.2# curl -sO https://packages-dev.wazuh.com/warehouse/test/4.4/macos/wazuh-agent-4.4.0-0.commit667da4f.pkg
sh-3.2# installer -pkg wazuh-agent-4.4.0-0.commit667da4f.pkg -target /
installer: Package name is Wazuh Agent
installer: Upgrading at base path /
installer: The upgrade was successful.
  2. Check if Wazuh is running
sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
  3. Check the version of Wazuh
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40400"
WAZUH_TYPE="agent"
  4. Check if Wazuh is restarted correctly
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Conclusion: The agent was upgraded successfully.

Upgrade the agent through WPK 🟡
  1. In the manager, generate the certificates:
openssl req -x509 -new -nodes -newkey rsa:2048 -keyout wpk_root.key -out wpk_root.pem -batch
openssl req -new -nodes -newkey rsa:2048 -keyout wpkcert.key -out wpkcert.csr -subj '/C=US/ST=CA/O=Wazuh'
openssl x509 -req -days 365 -in wpkcert.csr -CA wpk_root.pem -CAkey wpk_root.key -out wpkcert.pem -CAcreateserial
  2. Install requirements to generate the WPK package:
python -m pip install cryptography
yum install make gcc policycoreutils-python automake autoconf libtool unzip
  3. Download the package and the repo (using the last commit of this PR), and enter the repo folder
curl -O https://packages-dev.wazuh.com/warehouse/test/4.4/macos/wazuh-agent-4.4.0-0.commit667da4f.pkg
curl -sL https://github.com/wazuh/wazuh/tarball/272fc4e7f83e789abf39f41b0be3e240e063abd6 | tar zx
cd wazuh-wazuh-272fc4e/
  4. Overwrite the root certificate
cp /home/qa/wpk_root.pem etc/wpk_root.pem
  5. Compile the WPK package:
tools/agent-upgrade/wpkpack.py /home/qa/myagent.wpk /home/qa/wpkcert.pem /home/qa/wpkcert.key /home/qa/wazuh-agent-4.4.0-0.commit667da4f.pkg /home/qa/wazuh-wazuh-272fc4e/upgrade.sh src/init/pkg_installer_mac.sh

Note: /home/qa/myagent.wpk is where the WPK package will be stored.

  6. Copy the generated root certificate into the agent (from the manager):
scp -P <PORT> /home/qa/wpk_root.pem vagrant@<IP>:/Users/vagrant
  7. In the agent, overwrite the root CA with the generated certificate:
cp /Users/vagrant/wpk_root.pem /Library/Ossec/etc/wpk_root.pem
  8. Change the upgrade timeout (see "Upgrading macOS agent via WPK returns timeout", wazuh/wazuh#14856) by adding the following configuration to the Manager:
  <task-manager>
    <task_timeout>45m</task_timeout>
  </task-manager>
  9. Restart the manager:
systemctl restart wazuh-manager
  10. Upgrade the agent using the generated WPK package
/var/ossec/bin/agent_upgrade -a 001 -f /home/qa/myagent.wpk -x upgrade.sh

Upgrading...

Failed upgrades:
        Agent 003 status: Send upgrade command error

Note: The agent's ossec.log file does not show any error.

Conclusion: The upgrade was not completed correctly, so I cannot check whether the name of the OS is correct or not. Opened issue: wazuh/wazuh#15081

Check the OS name in Dashboard 🟡

Note: The name of the operating system may not be displayed correctly; this is because the Wazuh app package is under development (wazuh/wazuh-dashboard-plugins#4160) and does not have a stable version yet.

Agents overview 🟡

  1. On the Home page, select "Total agents"

(screenshot)

Inventory data 🟢

  1. On the Home page, select "Total agents"
  2. Select the macOS Sierra agent
  3. Select "Inventory data"

(screenshot)

Conclusion: The names of the OS are different in all views as expected.

Check the OS name in API 🟢

Before querying the API it is necessary to store the token in an environment variable by running:

TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

The agents information is the following:

/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-13-132.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: macos-1012, IP: any, Active
   ID: 002, Name: macos-1100, IP: any, Active
Get agent OS 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/syscollector/001/os?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "agent_id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All specified syscollector information was returned",
   "error": 0
}
List agents (filter by os name) 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/agents?os.name=macOS&select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "001"
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "002"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
Get agents overview 🟢
  1. Check if the name of the OS is the expected:
curl -k -X GET "https://localhost:55000/overview/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
.
.
         {
            "os": {
               "name": "macOS",
               "platform": "darwin",
               "version": "11.0"
            },
            "count": 1
         },
.
.
Delete agents (filter by os name) 🟢
  1. Check if the agent is deleted when using the "macOS" OS name:
curl -k -X DELETE "https://localhost:55000/agents?os.name=macOS&agents_list=all&status=all&older_than=0s&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         "001",
         "002"
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents were deleted",
   "error": 0
}
  1. The agents' information is now the following:
/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-13-132.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 003, Name: macos-1100, IP: any, Active
   ID: 004, Name: macos-1012, IP: any, Active
Get agents in a group (filter by os name) 🟢
  1. Check if the name of the OS is the expected one:
curl -k -X GET "https://localhost:55000/groups/default/agents?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "003"
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "004"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
List agents distinct (filter by OS name and ID) 🟢
  1. Check if the name of the OS is the expected one:
curl -k -X GET "https://localhost:55000/agents/stats/distinct?fields=os.name,id&q="os.name=macOS"&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "003",
            "count": 1
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "004",
            "count": 1
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Conclusion: The name of the OS is displayed correctly.

Check the OS name in Manager Database 🟢
  1. Check if the OS name is displayed as expected:
sqlite3 -header -column /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR, OS_MINOR, OS_ARCH FROM AGENT WHERE ID = 3"
os_name     os_major    os_minor    os_arch
----------  ----------  ----------  ----------
macOS       11          0           x86_64

Conclusion: The name of the OS is displayed correctly.

Fresh install (Manager 4.4.0 - Agents 4.4.0) 🟢

Check the OS name in Dashboard 🟡

Note: The name of the operating system may not be displayed correctly; this is because the Wazuh app package is under development (wazuh/wazuh-dashboard-plugins#4160) and does not have a stable version yet.

Agents overview 🟡

  1. On the Home page, select "Total agents"

image

Inventory data 🟢

  1. On the Home page, select "Total agents"
  2. Select the macOS Sierra agent
  3. Select "Inventory data"

image

Conclusion: The names of the OS are different in all views as expected.

Check the OS name in API 🟢

Before querying the API it is necessary to store the token in an environment variable by running:

TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

The agents' information is the following:

/var/ossec/bin/manage_agents -l

Available agents:
   ID: 001, Name: macos-1012, IP: any
   ID: 002, Name: macos-1100, IP: any
Get agent OS 🟢
  1. Check if the name of the OS is the expected one:
curl -k -X GET "https://localhost:55000/syscollector/001/os?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "agent_id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All specified syscollector information was returned",
   "error": 0
}
List agents (filter by os name) 🟢
  1. Check if the name of the OS is the expected one:
curl -k -X GET "https://localhost:55000/agents?os.name=macOS&select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         .
         .
         {
            "os": {
               "name": "macOS"
            },
            "id": "002"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
Get agents overview 🟢
  1. Check if the name of the OS is the expected one:
curl -k -X GET "https://localhost:55000/overview/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
.
.
         {
            "os": {
               "name": "macOS",
               "platform": "darwin",
               "version": "11.0"
            },
            "count": 1
         }
.
.
Delete agents (filter by os name) 🟢
  1. Check if the agent is deleted when using the "macOS" OS name:
curl -k -X DELETE "https://localhost:55000/agents?os.name=Mac+OS+X&agents_list=all&status=all&older_than=0s&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         "001",
         "002"
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents were deleted",
   "error": 0
}
  1. The agents' information is now the following:
/var/ossec/bin/manage_agents -l

Available agents:
   ID: 003, Name: macos-1012, IP: any
   ID: 004, Name: macos-1100, IP: any
Get agents in a group (filter by os name) 🟢
  1. Check if the name of the OS is the expected one:
curl -k -X GET "https://localhost:55000/groups/default/agents?select=os.name&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "003"
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "004"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}
List agents distinct (filter by OS name and ID) 🟢
  1. Check if the name of the OS is the expected one:
curl -k -X GET "https://localhost:55000/agents/stats/distinct?fields=os.name,id&q="os.name=macOS"&pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "os": {
               "name": "macOS"
            },
            "id": "003",
            "count": 1
         },
         {
            "os": {
               "name": "macOS"
            },
            "id": "004",
            "count": 1
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Conclusion: The name of the OS is displayed correctly.

Check the OS name in Manager Database 🟢
  1. Check if the OS name is displayed as expected:
sqlite3 -header -column /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR, OS_MINOR, OS_ARCH FROM AGENT WHERE ID = 4"
os_name     os_major    os_minor    os_arch
----------  ----------  ----------  ----------
macOS       11          0           x86_64

Conclusion: The name of the OS is displayed correctly.
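The API and global.db checks above are performed by hand, endpoint by endpoint. The following is an added example (not part of this QA report or of Wazuh's own code) that automates the same consistency audit: it scans parsed API responses in the shapes shown above and an in-memory copy of the AGENT table for Darwin agents whose os.name is still the legacy "Mac OS X" instead of "macOS". The sample responses and rows are constructed, and the AGENT table schema used here is an assumed subset of the real one.

```python
"""Audit the OS name reported for macOS agents across Wazuh API responses
and manager database rows. Added example; sample data is constructed."""
import sqlite3

EXPECTED = "macOS"     # correct name, as verified in the checks above
LEGACY = "Mac OS X"    # value reported by affected releases (Sierra..Catalina)


def audit_api(responses):
    """responses: {endpoint: parsed JSON body as returned by the Wazuh API}.
    Returns [(endpoint, agent id, reported name)] for every Darwin-based
    entry whose os.name is not the expected 'macOS'."""
    findings = []
    for endpoint, body in responses.items():
        for item in body["data"]["affected_items"]:
            os_info = item.get("os", {})
            os_name = os_info.get("name")
            # syscollector uses "agent_id", the agents endpoints use "id"
            agent = item.get("id") or item.get("agent_id")
            looks_mac = os_name in (EXPECTED, LEGACY) or os_info.get("platform") == "darwin"
            if looks_mac and os_name != EXPECTED:
                findings.append((endpoint, agent, os_name))
    return findings


def audit_db(rows):
    """rows: (id, os_name, os_platform) tuples. Loads them into an in-memory
    table (assumed subset of global.db's AGENT schema) and runs the same kind
    of query used above, so the check runs without a live manager."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE agent (id INTEGER, os_name TEXT, os_platform TEXT)")
    con.executemany("INSERT INTO agent VALUES (?, ?, ?)", rows)
    bad = con.execute(
        "SELECT id, os_name FROM agent WHERE os_platform = 'darwin' AND os_name != ?",
        (EXPECTED,)).fetchall()
    con.close()
    return bad


# Constructed sample data mirroring the response shapes shown in this report.
SAMPLE_API = {
    "/syscollector/001/os": {"data": {"affected_items": [
        {"os": {"name": "macOS"}, "agent_id": "001"}]}},
    "/agents": {"data": {"affected_items": [
        {"os": {"name": "macOS"}, "id": "001"},
        {"os": {"name": "Mac OS X"}, "id": "002"},   # agent still on a pre-fix build
        {"os": {"name": "Ubuntu"}, "id": "003"}]}},   # non-macOS, must be ignored
}
SAMPLE_DB = [(1, "macOS", "darwin"), (2, "Mac OS X", "darwin"), (3, "Ubuntu", "ubuntu")]
```

Running `audit_api(SAMPLE_API)` and `audit_db(SAMPLE_DB)` on the constructed data flags only agent 002 in both sources, which is the kind of leftover a mixed-version deployment would show after the fix.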

@jmv74211 jmv74211 changed the title QA testing - Inaccurate macOS display name Inaccurate macOS display name Oct 10, 2022
@jmv74211 (Contributor)

QA review

  • Type: Manual testing.
  • Status: Requested improvements 🟡
  • Comments: Some issues have been detected that appear to be unrelated to the changes being tested. These are as follows:
    • (1) Error when upgrading a macOS agent through WPK. (cc @wazuh/drop-table)

      During manual testing, a segmentation fault message (from modulesd) appears; this happens after attempting an upgrade through WPK (from 4.3.8 to 4.4.0 using branch: 14729-macos-invalid-os-name).

    • (2) The dashboard does not correctly show the name of the OS (cc @wazuh/frontend).

This will be discussed with the development team, and the PR will be approved or not on this basis.

@jmv74211 (Contributor)

Closing conclusion 👍🏼

🔵 Proposed to be fixed in future versions or developments

The development has been approved taking into account the following considerations proposed in the QA review:

(1): Error when upgrading a macOS agent through WPK. (cc @wazuh/drop-table) 🔵

This will be investigated and fixed in further developments. Reported issue wazuh#15081.

(2): The dashboard does not correctly show the name of the OS 🔵

Since we don't officially have a wazuh-dashboard app for 4.4.0 to test it with, we have decided to open a new release testing issue to check this in the pre-release stage. Here is the new release testing issue: wazuh-qa#3494.
